Microsoft has paid a $50,000 (roughly Rs 37 lakh) bounty to Laxman Muthiyah, a Chennai-based security researcher, for reporting a “potential vulnerability” in Microsoft online services. In a blog post, Muthiyah claimed that the vulnerability might have allowed someone to take control of any Microsoft account on the company’s online services without the owner’s consent.
Microsoft’s security team has since fixed the vulnerability. Muthiyah earned the award under Microsoft’s Identity Bounty Program. According to the researcher, the flaw in Microsoft’s online services is similar to a flaw in Instagram that he had previously found.
Microsoft awards $50,000 to a developer in Chennai: What was the flaw in the system?
Muthiyah planned to gain access to anyone’s Microsoft online account by exploiting a flaw in the forgot password tab, which requires a user to enter a seven-digit code sent to their email address or phone number to reset their password.
“We’ll have to enter the 7-digit security code once we get it to reset the password. We can reset any user’s password without permission if we can brute-force all the combinations of 7 digit codes (which would be 10^7 = 10 million codes)”, he explained.
“However, there will undoubtedly be certain rate limitations that prohibit us from making a large number of attempts.” He was able to spot the vulnerability that allowed him to take over someone’s account on Microsoft online services after a few days of effort.
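The defence the researcher alludes to is a per-account attempt budget on the reset code, together with expiry, so that a 7-digit code can never be exhausted by guessing. The following is an added illustration, not code from Microsoft or from the researcher; the policy numbers (5 attempts, 10-minute lifetime) are assumed values for the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 7
MAX_ATTEMPTS = 5          # assumed policy: code is locked after 5 wrong guesses
CODE_TTL_SECONDS = 600    # assumed policy: code expires after 10 minutes


class ResetCodeStore:
    """Per-account reset codes with an attempt budget and expiry (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested offline
        self._codes = {}                # account -> [code, issued_at, failed_attempts]

    def issue(self, account):
        # secrets.randbelow gives a CSPRNG-backed code; zero-pad to CODE_DIGITS
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = [code, self._now(), 0]
        return code

    def verify(self, account, candidate):
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        code, issued_at, failed = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]    # a stale code is never accepted
            return "expired"
        if failed >= MAX_ATTEMPTS:
            return "locked"             # budget spent: even the right code is refused
        if hmac.compare_digest(code, candidate):
            del self._codes[account]    # single use
            return "ok"
        entry[2] += 1                   # count the miss against this account's budget
        return "locked" if entry[2] >= MAX_ATTEMPTS else "wrong"


def guess_success_probability(attempts_allowed, digits=CODE_DIGITS):
    """Chance that an attacker with a fixed attempt budget hits a uniformly random code."""
    space = 10 ** digits
    return min(attempts_allowed, space) / space
```

With the budget enforced the attacker's odds are 5 in 10 million per issued code; without any limit the whole 10^7 space is reachable, which is the condition the researcher's bypass recreated.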
In November, Microsoft released a fix for the issue.
“I immediately captured a video of all the bypasses and sent it to Microsoft, along with clear instructions on how to replicate the flaw,” the researcher said, adding that they were swift to acknowledge the issue. Microsoft fixed the problem in November 2020, and Muthiyah announced that he was awarded a $50,000 bounty on February 9, 2021.